Updating for App Transport Security

iOS 9 and tvOS both introduced App Transport Security. In short, to encourage wider use of https, plain http connections are blocked unless an exception for them exists in the app’s Info.plist.

Both Portfolio and Studio Pro provide a companion Mac-based loading app, which exposes a RESTful service on the local network so media can be loaded quickly from a computer. So far this has operated solely over http, which is probably sufficient on a trusted, private network, but an upcoming update makes it possible to connect directly to a known address rather than only to loaders visible via Bonjour broadcasts. In that situation it makes more sense to err on the side of security and switch to https.

The Problem

Since the loader is effectively a web server, it needs both the public and private keys to provide an SSL connection. I plan on including a default pair so it works immediately (meaning that pair is obtainable by anyone; I do not feel the security here is important enough to force users through the extra step of supplying their own keys), but I also want users who do need or want the security to be able to achieve it.

The secondary goal is to not require an iOS-accepted CA to sign the SSL certificate a user chooses, so a self-signed SSL certificate can be used. That means the apps must enforce one of two things to ensure security: certificate pinning or CA certificate pinning. The former restricts the app to a single, specific SSL certificate, while the latter lets it connect to any loader whose certificate is signed by the pinned CA. I chose the latter to allow for maximum flexibility.

A Solution

Portfolio and Studio Pro both use AFNetworking (Alamofire is the Swift equivalent) for interacting with the loader. Both of these provide a fairly easy way to evaluate the SecPolicyRef object provided by the system when checking for server trust.
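As an added illustration of the CA-pinning choice described above (example code, not the apps' own source), this is how AFNetworking 3's AFSecurityPolicy can be set up so the app accepts only loaders whose certificate chains to a bundled CA. The resource name "loader-ca.cer" (a DER-encoded CA certificate in the app bundle) and the base URL argument are assumptions.

```objc
#import <AFNetworking/AFNetworking.h>

// Builds a session manager that trusts only loaders whose certificate chains
// up to the bundled CA. "loader-ca.cer" is an assumed resource name for the
// DER-encoded CA certificate; baseURL is the loader address the user entered.
static AFHTTPSessionManager *LoaderSessionManager(NSURL *baseURL) {
    NSString *caPath = [[NSBundle mainBundle] pathForResource:@"loader-ca" ofType:@"cer"];
    NSData *caData = [NSData dataWithContentsOfFile:caPath];
    NSCAssert(caData != nil, @"CA certificate missing from bundle");

    // Certificate mode re-evaluates the server's chain with the pinned
    // certificate(s) as the only anchors, so any leaf issued by this CA is
    // accepted and everything else is rejected.
    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
    policy.pinnedCertificates = [NSSet setWithObject:caData];

    // The CA is self-signed and not in the iOS trust store, so the initial
    // evaluation against the system anchors would fail; skip that check and
    // rely on the anchored evaluation above. With AFSSLPinningModeNone this
    // flag would disable TLS verification entirely, so never combine the two.
    policy.allowInvalidCertificates = YES;

    // Still require the leaf certificate's name to match the host that was
    // dialled, so one loader's certificate cannot be presented for another address.
    policy.validatesDomainName = YES;

    AFHTTPSessionManager *manager = [[AFHTTPSessionManager alloc] initWithBaseURL:baseURL];
    manager.securityPolicy = policy;
    return manager;
}
```

A connection to a loader presenting a certificate from any other issuer, or one whose name does not match the address, fails the challenge and never reaches the request handler.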